Argo CD configuration
What is Argo CD?
Argo CD is the TDP GitOps continuous delivery tool.
It watches a Git repository and ensures the Kubernetes cluster always matches what is in Git — when you change a configuration file in the repository, Argo CD detects it and applies it to the cluster automatically.
In TDP Kubernetes, Argo CD is mainly used to manage the lifecycle of TDP charts using the App of Apps model: a root Argo CD Application that manages other Applications, each responsible for one TDP component.
This is described in detail in the installation and upgrade guides.
Argo CD uses Helm to render charts and apply resources to the cluster. The difference is that you do not run helm upgrade manually — Argo CD does it automatically when it detects Git changes. The configuration flow (values files, secrets) stays the same.
The tdp-argo chart packages Argo CD 2.12.1 as a wrapper over the upstream argo-cd chart.
Values structure (Helm)
All values must be under tdp-argo: (dependency alias in Chart.yaml).
tdp-argo:
  server:
    resources:
      requests:
        cpu: "250m"
        memory: "256Mi"
Prerequisites: CRDs (tdp-crds)
Install the CRDs before the main chart:
helm upgrade --install tdp-crds \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-crds \
  -n <namespace> --create-namespace
The main chart keeps tdp-argo.crds.install=false to avoid Helm CRD lifecycle conflicts. tdp-crds consolidates CRDs for all platform components (Argo CD, Kafka, NiFiKop, ClickHouse, OpenMetadata, and cert-manager) in a single release.
Installation
helm upgrade --install <release> \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
  -n <namespace> --create-namespace
Access and credentials
- User: admin
- Initial password: Secret argocd-initial-admin-secret:

kubectl -n <namespace> get secret argocd-initial-admin-secret \
  -o jsonpath="{.data.password}" | base64 -d
Public URL (configs.cm.url)
Align the URL with how users reach Argo CD (relevant for Dex/LDAP):
tdp-argo:
  configs:
    cm:
      url: https://<host>
LDAP / Dex and RBAC
See Security — Argo CD.
NetworkPolicy
By default tdp-argo.global.networkPolicy.create: false (no NetworkPolicies).
To create the upstream allow-all policies:
tdp-argo:
  global:
    networkPolicy:
      create: true
      defaultDenyIngress: false
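Upstream templates do not allow customizing rules via Helm values; for real restriction, apply your own NetworkPolicy. Because podSelector: {} selects every pod in the namespace, include the Argo CD namespace itself among the trusted namespaces if its components must keep reaching each other. Generic example: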
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: argocd-restrict-ingress
  namespace: <namespace>
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: kubernetes.io/metadata.name
                operator: In
                values:
                  - <trusted-namespace>
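To check which policies in the namespace actually restrict traffic sources, the following added example (not part of the tdp-argo chart or of this page's original content) classifies each NetworkPolicy in the JSON produced by `kubectl get networkpolicy -n <namespace> -o json`. The sample data, the `example-*` policy names and the `trusted` namespace value are constructed for illustration.

```python
import json
import sys

# Constructed sample of `kubectl get networkpolicy -o json` output; example-* names are made up.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "example-allow-all"}, "spec": {"podSelector": {}, "ingress": [{}]}},
  {"metadata": {"name": "argocd-restrict-ingress"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"namespaceSelector": {"matchExpressions": [
              {"key": "kubernetes.io/metadata.name", "operator": "In",
               "values": ["trusted"]}]}}]}]}},
  {"metadata": {"name": "example-default-deny"}, "spec": {"podSelector": {}}}
]}
""")


def peer_is_open(peer):
    """True if one `from` peer matches every namespace or every address."""
    if peer.get("ipBlock", {}).get("cidr") in ("0.0.0.0/0", "::/0"):
        return True
    # namespaceSelector {} is all namespaces unless a podSelector narrows it.
    return peer.get("namespaceSelector") == {} and not peer.get("podSelector")


def classify(policy):
    """Return no-ingress-effect, deny-all, allow-any-source or restricted."""
    spec = policy.get("spec", {})
    # Ingress is implied when policyTypes is omitted.
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return "no-ingress-effect"
    rules = spec.get("ingress") or []
    if not rules:
        return "deny-all"
    for rule in rules:
        peers = rule.get("from") or []
        # A rule without `from` admits traffic from every source.
        if not peers or any(peer_is_open(p) for p in peers):
            return "allow-any-source"
    return "restricted"


def audit(policy_list):
    return {p["metadata"]["name"]: classify(p) for p in policy_list["items"]}


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, verdict in audit(doc).items():
        print(f"{verdict:18} {name}")
```

Save the kubectl JSON to a file and pass its path as the first argument; with no argument the constructed sample is used. NetworkPolicies are additive, so a pod selected by both an allow-any-source policy and a restricted one stays reachable from every source.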
Verification
Install ConfigMap
kubectl get configmap tdp-argo-argo-install-properties -n <namespace> \
  -o jsonpath='{.data.install\.properties}' | tail -10
RBAC
kubectl get serviceaccount -n <namespace> | grep argo
kubectl get role -n <namespace> | grep argo
kubectl get rolebinding -n <namespace> | grep argo
Dex (LDAP)
kubectl get pods -n <namespace> | grep dex
kubectl get svc -n <namespace> | grep dex
Main parameters
| Parameter | Description |
|---|---|
| tdp-argo.crds.install | Install CRDs from main chart (false) |
| tdp-argo.dex.enabled | Dex (required for LDAP) |
| tdp-argo.configs.cm.url | External URL |
| tdp-argo.configs.secret.* | Secrets (e.g. LDAP bind) |
| tdp-argo.rbacConfig | RBAC policies |
| tdp-argo.global.networkPolicy.* | Upstream NetworkPolicies |
Uninstall
helm -n <namespace> uninstall <release>
Optional cleanup: remove orphaned PVC, ConfigMap, or Secret if your cluster policy requires it.